Chris,
Below is a summary of threats and controls for further discussion. Disclaimer:
this is my understanding from various conversations, wiki pages, bugs and IRC
chats, so it's rough, probably varies from whats implemented (or what the final
goals are), but its a starting point. Ultimately the aim is a considered
security model with security controls commensurate to the threats posed, but to
start with I want to start a discussion regarding what threats have been
considered so far in the project, and the current thoughts around what controls
are in place or planned. I know that a lot of the things below have already
been considered in the project prior to me coming on board so the main aim for
me is to run through the state of things, and start capturing the B2G security
model.
Firstly I wanted to document some assumptions:
- All B2G applications will be Web Apps - there is no such thing as native
applications. Some web apps may be treated differently though based on security
characteristics (e.g. Came shipped with the phone, loaded from trusted
location, local access only, served over SSL only etc)
- B2G will ship with a number of included Web Apps (Gaia) to handle all the
tasks of running the device. These could potentially be replaced by the user
with alternatives
- Web APIs will provide access to Web Apps so they can perform their desired
role. E.g. An app acting as a Dialer will need access to the Web Telephony API,
in order to to make telephone calls
- Access to sensitive APIs will be controlled by permissions
Threats Summary
=============
In order to discuss the security measures built into B2G, we need to discuss
the threats posed.The following is a high level list of threats for further
discussion:
- Platform Vulnerabilities
- Exploit gives control of content process
- Attack against other processes (media server, rild etc)?
- Malicious Web App
- User tricked installing malicious application
- Legitimate app is compromised at the network layer
- Compromised web app server for Web Apps hosted remotely
- Vulnerable Web App
- Web application security threats (XSS, SQLi, etc)
- Framework weaknesses (same-origin bypass, privilege escalation, abuse
communication between apps?)
- Lost device
- User data compromised
Controls Summary
=============
In response to the above threats, what controls to we want to consider? The
following controls have come up in various discussions. There are probably
other controls to be discussed/raised/captured as well.
- Low-privileged processes and process sandboxing
- Web Apps will run in low-privileged process? How is this implemented?
- Segregation between less trusted and more trusted Web App
- What about other processes (media server, rild, etc)
- Hardening of the underlying OS
- I've not seen any mention of this, but it has come up in security
discussions.
- Segregation between Web Apps
- Separate by domain, other restrictions?
- Restriction for Apps trusted with sensitive permissions
- local-only sandbox, network-only sandbox etc
- restrict cross-domain communication etc
- load only over SSL
- load only from trusted developer
- load once, then cache. Drop permissions if app changes (or prevent
from changing without update workflow)
- Restricting permissions and protection against privilege escalation
- Security restrictions for special Web App cases
- browser app (<iframe browser>, other cases?)
- permissions manager
- others?
- Data Protection
- Encryption
- Login
Discussion is 5pm (PST) tomorrow (7th) using same phone conference as b2g
meeting.
Cheers,
Paul
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
